The bill amends the Security Breach Notification Act by modifying enforcement provisions and establishing new liability protections for private entities in the event of a cybersecurity breach. It grants the Attorney General or district attorneys exclusive authority to enforce violations, allowing them to seek actual damages and civil penalties up to $150,000 per breach. The bill also introduces a framework for determining penalties based on the severity of the breach and the entity's conduct.

A significant addition to the law is the provision that a private entity cannot be held liable in a class action lawsuit resulting from a cybersecurity event unless it is proven that the event was caused by the entity's willful and wanton conduct or gross negligence. This aims to limit the liability of private entities while still holding them accountable for serious breaches. The bill is set to take effect on November 1, 2026.

Statutes affected:
Introduced: 24-165